IT security practitioners are learning the hard way that legacy network security tools do not transfer well to cloud-based workloads, yet few cloud-native options exist to provide the visibility and control needed to secure traffic travelling to and from, as well as between, those workloads. The root cause is the shared security responsibility model used by public cloud providers such as Amazon Web Services (AWS): it prohibits customer access to the physical network hardware, so there is no switch SPAN port or physical tap to attach a monitoring appliance to.

Agent-based and log-based approaches have been applied as stopgap measures to recover at least some visibility, but they come with their own baggage. They can create traffic bottlenecks, increase complexity, and introduce their own vulnerabilities.

Recognizing that this complexity and lack of visibility are a barrier to broader cloud adoption, IaaS providers are beginning to address these issues. Microsoft led the charge in 2018 at its Ignite conference, when it became the first public cloud provider to offer a virtual network tap enabling out-of-band monitoring of Azure network traffic. Microsoft’s much larger rival in the IaaS market, Amazon Web Services, followed suit in late June 2019, when Amazon launched its first traffic mirroring capability for customers using its Virtual Private Cloud (VPC) service.